
Maybe OT, but can't help myself: TLS in 2.1.3



Hi list,

I'm having serious trouble generating SSL/TLS certificates.

Obviously it's not an LDAP problem, but I think somebody on the list
(if not everybody) must have done it and could help me.

The story:

I'm migrating from 2.0.25 to 2.1.3.

In 2.1.3 the certificates don't have to be self-signed
(which was allowed in 2.0.x).

Now, I tried to generate the certificates with the openssl tool,
but I didn't succeed for a week ....

Here's what I've done.

1) I create a self-signed certificate like I always did:

openssl req -new -x509 -days 365 -out /usr/local/ssl/CAkey/certs/CA.pem \
    -keyout /usr/local/ssl/CAkey/private/CAkey.pem

2) Then I create a signing request:

openssl req -nodes -new -days 365 \
    -out /usr/local/ssl/CAkey/private/CertReq.pem \
    -keyout /usr/local/ssl/CAkey/private/Certkey.pem

3) I sign it with the CA created in the first step:

openssl ca -in /usr/local/ssl/CAkey/private/CertReq.pem \
    -out /usr/local/ssl/CAkey/private/Cert.pem

I think that's correct so far and runs without an error ...
It produces a file 00.pem in /usr/local/ssl/CAkey/newcerts.

Now, how do I "connect" this with the TLSxxx directives in
slapd.conf?

I read several tutorials and tried almost everything,
but all I get is an error message:

----snipp----
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:964
----snipp----

So how do I have to configure the TLS directives?

TLSCertificateFile      /usr/local/ssl/CAkey/???
TLSCertificateKeyFile   /usr/local/ssl/CAkey/???
TLSCACertificateFile    /usr/local/ssl/CAkey/???

If someone would be so kind as to help me in my stupidity ...
and just tell me how to fill in the ???? with the correct "files",
I would be very happy ...

greets Harry
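The three-step procedure above, rebuilt as an added, self-contained example (not code from the original post): it creates a small CA, signs a server certificate with it, checks that the key, certificate and CA actually fit together, and prints the resulting slapd.conf mapping. All file names, the working directory and the subject names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a small CA, sign a
# server certificate with it, and check the pieces fit together the way
# slapd's TLS directives expect. All names and paths are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# 1) Self-signed CA certificate and key: the trust anchor every client needs
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
  -keyout "$WORK/CAkey.pem" -out "$WORK/CA.pem" >/dev/null 2>&1

# 2) Server key plus a certificate signing request (this cert is not self-signed)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
  -keyout "$WORK/Certkey.pem" -out "$WORK/CertReq.pem" >/dev/null 2>&1

# 3) Sign the request with the CA; 'x509 -req' needs no ca(1) config or index
openssl x509 -req -in "$WORK/CertReq.pem" -CA "$WORK/CA.pem" -CAkey "$WORK/CAkey.pem" \
  -CAcreateserial -days 365 -out "$WORK/Cert.pem" >/dev/null 2>&1

# Does the server certificate chain to the given CA? This is the check a
# TLS client performs; failing it is what produces an "unknown ca" alert.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Does the private key belong to the certificate? (compare the public keys)
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# The slapd.conf mapping: server cert, its private key, the CA that signed it
slapd_tls_directives() {
  printf 'TLSCertificateFile      %s\n' "$WORK/Cert.pem"
  printf 'TLSCertificateKeyFile   %s\n' "$WORK/Certkey.pem"
  printf 'TLSCACertificateFile    %s\n' "$WORK/CA.pem"
}

# A second, unrelated CA: verifying against it fails, exactly like a client
# that was never given CA.pem to trust
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
  -keyout "$WORK/otherkey.pem" -out "$WORK/other.pem" >/dev/null 2>&1

verify_chain "$WORK/CA.pem" "$WORK/Cert.pem" && echo "chain OK against CA.pem"
verify_chain "$WORK/other.pem" "$WORK/Cert.pem" || echo "unknown ca: other.pem did not sign Cert.pem"
key_matches_cert "$WORK/Certkey.pem" "$WORK/Cert.pem" && echo "key matches Cert.pem"
slapd_tls_directives
```

The quoted "tlsv1 alert unknown ca" is sent by the client and read by the server, so the server-side directives alone are not enough: the client must also be given CA.pem to trust (TLS_CACERT in ldap.conf).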